CVE-2026-5718
Arbitrary File Upload in Contact Form 7 Plugin Enables RCE
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpbeaverbuilder | drag_and_drop_multiple_file_upload_for_contact_form_7 | up to and including 1.3.9.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to and including 1.3.9.6. The vulnerability arises because the plugin does not properly validate file types when custom blacklist types are configured: the custom list replaces the default denylist of dangerous extensions instead of being merged with it. Additionally, the sanitization function wpcf7_antiscript_file_name() can be bypassed for filenames containing non-ASCII characters. As a result, unauthenticated attackers can upload arbitrary files, such as PHP files, to the server.
This arbitrary file upload can be exploited to achieve remote code execution on the affected server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to upload arbitrary files, including potentially malicious PHP files, which can lead to remote code execution on the affected server.
Such unauthorized access and control over server resources can result in the exposure, alteration, or destruction of sensitive data, thereby potentially violating data protection requirements under standards like GDPR and HIPAA.
Organizations using the vulnerable plugin may face compliance risks due to insufficient protection against unauthorized access and data breaches.
How can this vulnerability impact me?
This vulnerability can have severe impacts including allowing unauthenticated attackers to upload malicious files to your server.
Such uploaded files, like PHP scripts, can be used to execute arbitrary code remotely, potentially leading to full server compromise.
This can result in data breaches, unauthorized access, service disruption, and loss of control over your website or server.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Drag and Drop Multiple File Upload for Contact Form 7 plugin to a patched version newer than 1.3.9.6.
Additionally, review and correct any custom blacklist configurations to ensure they merge with the default denylist rather than replace it, preventing unsafe file types from being uploaded.
Consider restricting file uploads to authenticated users and implementing additional server-side validation and sanitization for uploaded filenames, especially those containing non-ASCII characters.
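As an added illustration of the mitigation above (example code written for this page, not the plugin's own code or its patch): a PHP upload check in which a site-specific blacklist is merged with a fixed default denylist rather than replacing it, and filenames are reduced to ASCII before the extension is inspected. The default list, the function names and the sample filenames are assumptions; the check also rejects a denylisted inner extension such as .php.jpg, which goes a step beyond what the page describes.

```php
<?php
// Added example (not the plugin's code): a denylist-based upload check
// that merges a site-specific blacklist with a fixed set of dangerous
// extensions instead of letting the custom list replace the defaults
// (the failure mode described for CVE-2026-5718), and that reduces
// filenames to ASCII before inspecting the extension.

// Illustrative baseline denylist (an assumption, not the plugin's list).
const DEFAULT_DENYLIST = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml',
                          'phar', 'pht', 'htaccess', 'htpasswd', 'js',
                          'exe', 'sh', 'cgi', 'pl'];

// Effective denylist: defaults plus custom entries, never a replacement.
function effective_denylist(array $custom): array {
    $custom = array_map(fn($e) => strtolower(ltrim(trim($e), '.')), $custom);
    return array_values(array_unique(array_merge(DEFAULT_DENYLIST, $custom)));
}

// Reduce a user-supplied filename to a strict ASCII subset before any
// extension check, so non-ASCII code points cannot disguise the extension.
function sanitize_upload_filename(string $name): string {
    $name = basename(str_replace('\\', '/', $name));      // drop path parts
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name); // ASCII subset only
    $name = trim($name, '.');                             // no leading/trailing dots
    return $name === '' ? 'upload' : $name;
}

// Reject the file if ANY dot-separated segment after the base name is
// denylisted, so "report.php.jpg" is treated like "report.php".
function is_upload_allowed(string $original_name, array $custom_blacklist): bool {
    $deny  = effective_denylist($custom_blacklist);
    $parts = explode('.', strtolower(sanitize_upload_filename($original_name)));
    array_shift($parts);                                  // first segment is the base name
    foreach ($parts as $ext) {
        if (in_array($ext, $deny, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample configuration: the site admin blacklisted only "exe",
// so the default entries must still cover PHP-family extensions.
$custom = ['exe'];
foreach (['brochure.pdf', 'shell.php', 'shell.php.jpg', "sh\u{00E9}ll.phP"] as $f) {
    printf("%-16s %s\n", $f, is_upload_allowed($f, $custom) ? 'allowed' : 'rejected');
}
```

A denylist remains a weaker control than an allowlist of the few types a form actually needs, combined with storing uploads outside the web root or in a directory where the server does not execute scripts.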